ABSTRACT


This thesis reports the results of a study which tested 
participants’ abilities to recall five different types of computer 
passwords. Each participant was assigned in a randomized procedure 
to one of six response intervals. Recall testing of computer-generated 
passwords, user-created passwords, passphrases, associative
passwords and cognitive passwords was conducted using a computer 
program which simulated system log-on procedures. This study 
indicates the relative merits of these five password types are more 
difficult to distinguish when data are collected in the realistic setting 
of a log-on simulation instead of via paper surveys, as was done in 
I. INTRODUCTION


A. THE NEED FOR COMPUTER SECURITY 

In the immediate aftermath of the Persian Gulf War, U.S. 
Department of Defense (DoD) investigators found that computer 
hackers from the Netherlands were able to copy and modify data 
related to wartime U.S. military operations, as well as information on
the transport of military equipment and personnel. Investigators 
reported the hackers gained access by using default passwords and 
exploiting flaws in computer operating systems (Alexander, 1991). 

A study by the U.S. General Accounting Office found that 30% 
of the computer systems on Internet, a wide area computer network 
with thousands of subscribers, could be accessed by a password 
derived from a user identification, log-on, or identification spelled 
backwards (Salamone, 1991). Passwords based on log-on, user 
identification, or user name are vulnerable to "intelligent guessing" by 
would-be intruders. A password which appears in the dictionary (that
is, a password which is an actual word) may be recovered through the
use of a program which employs a computerized dictionary to rapidly 
guess tens of thousands of potential passwords. 

The use of computers by governments, businesses and individuals
continues to grow. Thousands of corporations, educational
institutions and public agencies electronically link their mainframe
computer systems to promote efficiency through ease of information
exchange. Additionally, a booming segment of the data processing
market in recent years has been small, portable computers which can
be used away from the office. A traveler who uses a laptop or
notebook for on-the-go computing often uses the same computer to
communicate via modem with the home office for end-of-the-day data
dumps, electronic mail, or transmission of memos. Hence,
accessibility of office computer systems has increased concurrent with
the rapidly-growing portable computer market. While networking
and interconnectivity of computer systems have numerous
advantages, they provide an easy avenue for intruders to gain access
to computer resources.


B. USER AUTHENTICATION MECHANISMS 

A person who uses a computer without authorization may do so 
for a number of reasons. Among the simplest of these is theft of 
computing services. Many computer systems charge customers a fee 
based on usage; an uncertified user receives services for free. 
Sometimes the motivation for invasion of a computer system is 
malicious or mischievous. The intruder's intent may beto do damage 
in the former case or simply to experience the thrill of outsmarting the 
computer's security systems in the latter. Often the intruder seeks
access to a computer's data for purposes of gaining information or
modifying the data (Pfleeger, 1989, pp. 11-13).


To prevent the loss, modification or compromise of data which 
can result when unauthorized persons are able to log-on to a 
computer, several user authentication mechanisms are available to 
system administrators.
1. Biometric Devices 
Biometric authenticators use a person’s physical traits to 
verify his/her identity. The many security tools in this category work 
in a similar manner: a biometric portrait of the subject is scanned or 
read by sensor devices, converted into digital data and stored. When 
an authorized user desires access to a protected computer, the trait 
used for authentication is tested and compared with the stored data 
(Alexander, 1990). 
a. Handprint and Fingerprint Readers 
Both handprint and fingerprint readers depend on the 
uniqueness of each individual’s hand geometry or fingerprint ridges 
to identify him/her. Handprint readers, also called palm readers,
measure the relative lengths of fingers when the hand is placed upon 
a template. Some models may scan lines on the palm of the hand. 
Because of the simple yet effective principle behind this design, 
handprint readers were the first type of biometric device to be made 
available on the commercial market (Parks, 1990).
Fingerprint readers scan to a finer degree than handprint
readers and record measurements of the loops, whorls and arches that
make up a single fingerprint. These devices are the lowest-cost option
for biometric security. A fingerprint reader can be purchased for as
little as $1000 (Alexander, 1990).
b. Voice Analyzers 

A more elaborate biometric scheme involves testing a 
user's identity through voice recognition. A digitized pattern of an 
authorized user's voice is maintained by the computer. A typical 
scenario calls for the user to identify him/herself via the computer 
keyboard. The user then recites one or more words or phrases, which 
the computer compares with stored data, in order to gain access to the 
system. Such an authentication mechanism can be used when the user 
is physically located near the computer or can be used via phone lines 
(Penzias, 1990). 

c. Retina Scanners 

The pattern of blood vessels on the inside of an eyeball is
unique for each person, even identical twins. Retina scanners use this
fact to verify a person's identity. A beam of low-intensity infrared
light enters the eye through the pupil and scans a circular pattern
upon the retina. A portion of the light is reflected back to a
photodetector which records data at hundreds of points as the light
beam traverses its arc. These data, a series of digitally-coded light
intensity levels, are compared with future scans to authenticate a user
requesting access (Fitzgerald, 1989).


d. Keystroke Analyzers 

Among the more interesting concepts used to authenticate 
users is that of keystroke latencies, the elapsed time between
keystrokes the user makes while using a computer keyboard.
Research has shown that for repeatedly sampled strings of characters
a person's keystroke pattern can be just as unique as a signature. The
same muscles and neurological factors that form a signature are used 
for typing; it is therefore logical that each person types in a unique 
way that can be measured (Joyce and Gupta, 1990). 

Employing this method, a new user to the computer 
system might be asked to repeatedly type his/her name or, for better 
security, a phrase of his/her own choosing for the authenticator 
software. A mean digital signature is then calculated from the several 
samples. The signature consists of the average latency between each 
successive keystroke. Future log-on attempts are then compared with 
the latency signature to validate the user (Joyce and Gupta, 1990). 
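The enrollment-and-verify procedure just described, as an added example (not code from the thesis): several typings of the same string are reduced to a mean latency signature, and a later attempt is compared against it. The timing samples are constructed, and the acceptance rule (mean relative deviation within a tolerance) is an assumption, since the thesis names none.

```python
import statistics

def latencies(timestamps):
    """Elapsed times between successive keystrokes, from key-down times in seconds."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]

def enroll(samples):
    """Mean latency signature: for each inter-key interval, the average over the
    enrollment typings of the same string (the thesis's 'mean digital signature')."""
    if len({len(s) for s in samples}) != 1:
        raise ValueError("every enrollment sample must contain the same number of keystrokes")
    columns = zip(*(latencies(s) for s in samples))
    return [statistics.mean(col) for col in columns]

def verify(signature, attempt, tolerance=0.25):
    """Compare a log-on attempt against the stored signature.

    Acceptance rule (an assumption for this example; the thesis states none):
    the mean relative deviation of the attempt's intervals from the signature
    must not exceed `tolerance`. A wrong keystroke count is rejected outright.
    """
    observed = latencies(attempt)
    if len(observed) != len(signature):
        return False
    deviations = [abs(o - s) / s for o, s in zip(observed, signature)]
    return statistics.mean(deviations) <= tolerance

# Constructed key-down times (seconds) for three enrollment typings of a six-character name.
ENROLLMENT = [
    [0.00, 0.12, 0.32, 0.47, 0.77, 0.95],
    [0.00, 0.14, 0.32, 0.49, 0.77, 0.97],
    [0.00, 0.13, 0.35, 0.51, 0.83, 1.02],
]
GENUINE_ATTEMPT = [0.00, 0.14, 0.33, 0.48, 0.79, 0.99]   # same typist, slightly different rhythm
IMPOSTOR_ATTEMPT = [0.00, 0.40, 0.85, 1.23, 1.83, 2.25]  # someone else typing the same name

if __name__ == "__main__":
    sig = enroll(ENROLLMENT)
    print("signature:", [round(x, 3) for x in sig])
    print("genuine accepted:", verify(sig, GENUINE_ATTEMPT))     # True
    print("impostor accepted:", verify(sig, IMPOSTOR_ATTEMPT))   # False
```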

e. Signature Analyzers 

A person's signature has long been a customary means of
identification for official matters. Methods exist which allow a 
computer to identify a person by examining the characteristics of 
his/her signature. One approach is to optically scan a signature 
written on an ordinary piece of paper; the scan results can be digitized
and compared with future signatures. Unfortunately, a digital record
of the static image of a signature leaves the computer open to spoofing
by skilled forgers (Mital and Lau, 1989).

A better means of recording a signature is through an 
examination of a person's handwriting dynamics. The pressure 
exerted on a piece of paper by the writing instrument as it is moved 
through the signature process is as unique as the signature itself. 
Furthermore, pressure variances are not visible during or after the 
signing process. This eliminates the forgery problem noted above. 

In this method, an individual signs his/her name using a 
stylus on a pressure-sensitive pad. Varying pressure on the pad 
generates a voltage which is measured digitally. The pressure on the 
pad is sampled numerous times during the signing; the resulting plot
of voltage versus time produces a pressure waveform characteristic of 
the individual's signature. This waveform can be compared against 
subsequent signatures in future log-on attempts (Mital and Lau, 
1989). 

A second method of signature dynamics measurement 
involves quantifying the writing instrument's motion as opposed to 
the pressure it exerts on the writing surface. A person signs his/her 
name with a pen which is wired to a port in the computer. During the 
signing, the pen’s motion is tracked by piezoelectric accelerometers 
wired to it. In this way, the exact movement of the pen is recorded
and can be compared against future signatures (Fitzgerald, 1989).


f. Drawbacks 

While biometric authentication eliminates the possibility 
of unauthorized log-on through compromise of a password, the 
methods discussed above have limitations. Changes in a person's 
physical characteristics or health can affect a test’s outcome. A user 
who cuts his finger may not pass a fingerprint reader's scrutiny while 
another who sees her manicurist may alter the dimensions of her hand 
as seen by a handprint reader. A person who catches a cold may find 
a voice analyzer unable to recognize her speech while an amateur 
athlete suffering from tennis elbow might type or write differently and 
be unrecognized by a keystroke or signature analyzer. Finally, the 
purchase, installation and operation of these systems can be expensive
for small businesses.

2. Security Token Methods 

Rather than identifying a person by his/her physical 
characteristics, security tokens depend upon the possession of a device 
to verify a user is who he/she claims to be. Tokens can be employed 
by themselves to identify a computer user or they can be used to 
provide a third level of computer security in addition to the 
commonly-used log-on name and password. Security tokens have 
become more popular in recent years because of the growing number 
of people who use computers remotely via wide area network or
modem (Wood, 1991).


a. Magnetic Cards 

Probably the simplest security token technique calls for 
users to be issued a card which contains identifying information, 
usually on a magnetic stripe. The card is examined by a reading 
device; if it contains a signature the device recognizes, the bearer of the
card is allowed access to the computer system. This application is 
most often used to control access to the area of computer terminals as 
opposed to individual terminals. To regulate each microcomputer or 
mainframe terminal individually requires each terminal have a card 
reader. 

b. Smart Tokens 

Other techniques escape the need for a magnetic reader. 
One method employs a device the size of a credit card which generates 
and displays a new password at some regular interval. An electronic 
clock in the card's microprocessor is synchronized with a similar clock
in the host computer. When a user calls the host, he/she inputs a 
personal identification number and the card-generated password. 
Since both are required for a successful log-on, only an authorized 
user in possession of the smart token can gain access to the computer. 
Periodic regeneration of passwords prevents an intruder from making 
use of old passwords (Fitzgerald, 1989). 

A similar procedure involves the use of a small calculator-like
device. During log-on, the host computer displays a challenge
number to the terminal which the user keys into the device. Using an
algorithm known to the host, the device calculates and displays a
response. The user then inputs this in answer to the host's challenge
number. After receiving the correct passcode, the host computer asks
for a conventional user identification and password. The passcode
thus provides a third level of security in addition to the other two
log-on parameters (Wood, 1991).
c. Screen Readers 
Another variation of the smart token procedure calls for 
the host computer to display on the user’s screen a bar code like the 
ones used in supermarkets. The bar code challenge is scanned by a
matchbook-sized token carried by an authorized user; the token 
displays a response number which the user inputs at the keyboard. A 
drawback to this method becomes apparent with the use of laptop and 
notebook computers. Some of these machines’ displays lack the 
brightness to allow the bar code reader to accurately scan the code on 
the screen (Wood, 1991). 
3. Passwords 
Despite the availability of the computer security measures 
mentioned above, most computer systems which require user
authentication still use a combination of user identification (a user's
name or assigned ID code) and a password known to the user and the
host computer. Passwords are the simplest way to incorporate
security into a computer system. Software to enable their use is
readily available or can easily be written from scratch. Password-based
authentication procedures are easy to use, and the cost of their
administration is low. Care must be taken, however, in the creation
and use of passwords to ensure they enhance system security.
II. USER IDENTITY VERIFICATION WITH PASSWORDS


A. INTRODUCTION 

Because of their simplicity of use, low cost and ease of 
implementation passwords are the most widely employed means of 
user authentication in computer systems. Typically, a person who 
desires to log-on to a computer enters a portion of his/her name or an
assigned user identification code along with a password. If the
computer's log-on software verifies the identification and password
match correctly with stored data, then the user is granted access.
Depending upon the security requirements of the system, the user may
be asked to provide additional passwords to access specific files,
directories, procedures or application programs. Often, however, a
user is given "carte blanche" access to a system's resources after
correctly entering only one password.


B. THE IMPORTANCE OF SECURE PASSWORDS 
Because a single password is frequently a computer system’s only 
line of defense against intruders, as much effort as possible should go 
into selecting a password which will resist attempts at intrusion. A 
secure password should be impossible to guess and easy for the user 
to remember (Smith, 1991). Unfortunately, these two qualities are
mutually exclusive to a degree. A random string of uppercase and
lowercase letters, numbers, and other keyboard symbols is very
difficult to guess, but it is also difficult to remember. Users of such 
passwords often write them down so they won’t be forgotten. This 
degrades the secrecy of the password and thus the computer security 
it provides. 
1. Selecting Secure Passwords
Computer intruders often gain initial access to a system 
through intelligent guessing. A spouse's name, a portion of one's 
social security number, anniversary dates, birthdays, one's address 
all are examples of publicly-available information from which many 
computer users create passwords. Robert Morris, a designer of the 
Internet worm which caused damage to dozens of computer systems, 
has compiled a list of 73 words that can access at least one user on 
90% of the large computer systems on Internet (Salamone, 1991). 
Computer users must be made aware of techniques which can 
dramatically improve the security of passwords they create. 
Adherence to a few simple rules allows users to design
customized, easily-remembered passwords that are also secure
(Padovano, 1991).

• Include digits in the password

• Mix uppercase and lowercase letters

• Don't use a proper name or variation of a proper name

• Don't use a word found in a dictionary

• Don't use QWERTY keyboard patterns such as "asdfgh" or
"a;sldkfj"


Two methods of password creation which typically result in 
hard-to-guess passwords involve combining two words or using the 
first letters of a multi-word phrase (Smith, 1991). For instance, a 
cooking enthusiast who also likes to vacation at Lake Tahoe might 
combine the words "chef" and "Tahoe" to create "chefTahoe". In an 
example of the second method, the same cooking enthusiast might 
create a password from the phrase "barbecued spare ribs with honey 
glaze sauce": "bbqsrwhgs". To further increase security, these 
methods can be applied in order to guarantee the inclusion of 
uppercase and lowercase letters as well as digits. For instance, the 
phrase "My friend Harriet has two children" might create the
password "MfHh2c".
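As an added example (not part of the thesis), here is a checker for the five rules listed above, run over the page's own sample passwords from the two creation methods. The dictionary and name lists are constructed stand-ins for the word lists a real checker would load.

```python
import re

# Constructed stand-ins for the lists a real checker would load (a system dictionary,
# a list of names); the entries are taken from examples that appear on this page.
DICTIONARY = {"chef", "password", "secret", "honey", "football", "rabbits"}
PROPER_NAMES = {"harriet", "mary", "fred", "spot", "madonna"}
# Physical key rows; a run of adjacent keys in either direction counts as a pattern.
KEYBOARD_ROWS = ["`1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]

def has_keyboard_pattern(pw, run=4):
    """True if `run` or more physically adjacent keys appear in order, e.g. "asdfgh".
    The odd and even positions are checked separately as well, which catches the
    alternating-hand pattern "a;sldkfj" (positions 0,2,4,6 spell "asdf")."""
    s = pw.lower()
    rows = KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]
    for cand in (s, s[0::2], s[1::2]):
        for i in range(len(cand) - run + 1):
            if any(cand[i:i + run] in r for r in rows):
                return True
    return False

def check_password(pw):
    """Return the rules from the list above that `pw` breaks; an empty list means it passes."""
    failures = []
    if not any(c.isdigit() for c in pw):
        failures.append("no digits")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("no mixed case")
    low = pw.lower()
    # "variation of a proper name": the name embedded anywhere, e.g. "Harriet1"
    if any(name in low for name in PROPER_NAMES):
        failures.append("proper name")
    # a dictionary word as-is, or with digits/symbols bolted on, e.g. "Password1"
    if low in DICTIONARY or re.sub(r"[^a-z]", "", low) in DICTIONARY:
        failures.append("dictionary word")
    if has_keyboard_pattern(pw):
        failures.append("keyboard pattern")
    return failures

if __name__ == "__main__":
    for candidate in ["chefTahoe", "bbqsrwhgs", "MfHh2c", "asdfgh", "a;sldkfj", "Harriet1"]:
        print(f"{candidate:12} {check_password(candidate) or 'passes all rules'}")
```

Note that "chefTahoe" and "bbqsrwhgs" resist dictionary and pattern checks but still fail the digit (and case) rules, which is exactly why the text refines the phrase method into "MfHh2c".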


C. TYPES OF PASSWORDS TESTED 
The study that is the basis for this thesis compared rates of recall 
of five different types of password mechanisms. Each is described
below. 
1. Computer-generated Passwords 
Perhaps the simplest way to ensure a user employs a secure 
password is to arbitrarily assign one. A person who has no input in 
the creation of a password will not have the opportunity to create a 
personalized password vulnerable to intelligent guessing. Hence, some
computer systems simply assign passwords to their users. Those
systems which use this method often utilize a computer program
which produces passwords created from random alphanumeric
characters. While this method yields passwords which are very secure,
it has a large disadvantage in that users invariably find such
passwords hard to remember. They therefore often resort to writing
down the password as a memory aid; unfortunately, the act of writing
down the password also degrades security.

Previous research (Beedenbender, 1990) found that although
13% of the people given a random, computer-generated password 
were able to remember it after a period of three months, 86% of them 
were able to do so only because they had written the password down. 
Better results were achieved when the computer-generated passwords 
were designed to be non-sensical but pronounceable non-dictionary 
words. In this case, the successful recall rate after three months was 
38%. Of those who correctly remembered the password, 67% said 
they recalled it because it was pronounceable. Another 17% wrote it 
down. 

2. User-created Passwords 

Computer systems which allow users to construct their own 
passwords most frequently employ the user-created password as a 
means of identity verification. This is usually done with restrictions 
on password length (a minimum and maximum number of characters 
are specified) and on content (spaces and some non-alphanumeric
keyboard characters may not be allowed). Additionally, the system's
password algorithm may not distinguish between uppercase and
lowercase forms of the same letter. 

User-created passwords are susceptible to the variety of 
vulnerabilities discussed in previous sections of this chapter. Previous 
research (Sawyer, 1990) has shown that users frequently choose 
passwords which are less than secure and seldom change them. In a 
survey of mainframe computer users who were allowed to create their 
own passwords, 65% reported their passwords were based on a 
meaningful detail in their lives such as a name or date. 80% used only 
alphabetic characters in their passwords. Despite being allowed to 
construct their own password, 20% of users admitted they still found 
it necessary to write the password down. Finally, 80% of those polled 
said they never changed their password, while an additional 15% said 
they changed passwords less frequently than once a year. It can thus 
be seen that, despite their popularity, user-created passwords can have 
a host of security weaknesses unless the means of their creation is
carefully monitored. 

3. Passphrases 

A passphrase attempts to make a password harder to guess 
through sheer arithmetic. Passphrases have the same characteristics 
as passwords, but they are longer. The user is encouraged to create a
multi-word phrase in the hope that the phrase's length will create so 
many possible character combinations that an intruder will be
deterred from attempting a brute-force guessing attack. Even if a user
creates a passphrase about a meaningful detail of his/her life, it is still
theoretically more secure than a detail-based password because of its
greater length. Because it contains multiple words separated by
spaces, computerized dictionary searches are ineffective against a
passphrase.
4. Associative Passwords 

Smith (1987) advocates a system which attempts to solve the 
password memorability problem by giving the user a "hint" about the 
password. Associative passwords employ a cue/response format. A 
user creates a list of cue words or short phrases and a response 
word/phrase to go with each cue. For instance, one of a user's cues 
might be "skiing"; the proper response might be "Keystone" (a ski
resort in the Denver area). Smith suggests a profile of 20 cue/response
pairs be created by each user. During log-on the user may be required
to correctly respond to, say, five cues. Associative passwords
theoretically offer a balanced mix of security and memorability. If the
user avoids the use of easily guessed cue/response pairs (e.g., dog/cat,
fast/slow, etc.), he/she can create a unique profile of password pairs
that are resistant to intelligent guessing. Furthermore, associative
passwords may be more easily remembered because the user is given
the cue word/phrase to aid recall of the response word/phrase.
5. Cognitive Passwords

Cognitive passwords make use of the uniqueness of an 
individual's personal history, perceptions and opinions to confirm 
his/her identity. Initially, users are asked a set of simple questions, 
each of which seeks a short answer. The questions are styled so that 
the response from a particular person will be unique to that person. 
At the same time, the answer should not be common knowledge or 
publicly-available information. An example of a good cognitive
password question might be "Who is your favorite professional
entertainer?" The answer to such a question would obviously vary
from person to person. Conversely, "On what date were you born?" is
a poor question because the answer is publicly available (Zviran and
Haga, 1990).

As is the case with associative passwords, a user initially
creates a profile of cognitive passwords in response to a series of
questions. During the log-on process, the user is required to correctly
respond to one or more questions in order to be granted access. A
properly-designed set of cognitive password questions will elicit a
unique set of responses that are resistant to intelligent guessing.
Furthermore, memorability should be improved because the user is
required to simply remember the answer to an easy question he/she
has answered before.
D. SUMMARY

Passwords are a widely employed method of computer user 
verification. Although the user-created password is the most well 
known and most frequently used, it is also prone to human frailties 
which often decrease its security. Other password formats exist which, 
in theory, offer the combination of increased security and greater ease
of memorability.
III. RESEARCH METHODOLOGY


A. BACKGROUND 

The principal goal of this study is to compare computer users’ 
abilities to recall five password types over six intervals of time. 
Toward that goal, study participants were asked to create a series of 
passwords, then attempt to recall those passwords at a later date. 
There are two important differences between the methodology used
in this study and that used in previous similar research (Beedenbender,
1990; Hulsey, 1989). First, previous researchers collected their data
through pencil-and-paper surveys, whereas this study employed a
more realistic computer-based setting. Second, the recall abilities of
participants in previous research were tested after only one interval,
three months. This study assigned each participant to one of six recall
intervals: three days, one week, two weeks, one month, one-and-one-half
months and two months. By collecting data at these different
times, the study hoped to measure the decline in recall of passwords
which would likely occur as the intervals lengthened. Additionally,
there is the opportunity to compare the relative recall successes of the
six password types with an eye toward determining if some types are
more easily recalled at specific intervals.
B. METHODOLOGY
1. Data Collection Description
In order to simplify the gathering of data from six separate 
groups of participants (one for each of the six recall intervals) and to 
simulate an actual computer log-on environment, data collection was 
accomplished with the use of a computer program. 
a. Study Participants 
Graduate students in information systems management 
as well as in general management curricula participated in the study. 
b. Detailed Study Description 
Following printed instructions, study participants ran a 
simulation program installed on a local-area network in a 
microcomputer laboratory. The program provided each person with 
a basic understanding of the concepts being tested and his/her 
contribution to the research effort. The study introduction viewed by
participants is shown in Appendix A.
c. Identifying Participants 
Figure 1 illustrates personal identification data items 
collected from each participant during his/her first use of the program. 
Participants’ names and student mailing center (SMC) box numbers 
were collected to allow reminder notices to be sent shortly before each 
participant’s scheduled return visit. The three-digit curricular code 
indicates the type of degree a given student is pursuing. The last four
digits of a student's ID number were used to create unique names for
computer files in which to store his/her password profile and recall
data.


Enter your last name:
Enter your first name:
Enter your SMC number:
Enter your three-digit curriculum code:
Enter the last four digits of your Student ID number:
Enter the course in which you received your assignment to use this program:


Figure 1 Identifying data collected from study participants


d. Creation of Password Data 
After providing the computer program with the above 
information, a participant then viewed a series of five instructional 
screens, each of which assigned a password or asked him/her to create 
a password. Each study participant was assigned a computer- 
generated password in the first of these instructional screens (see
Figure 2).
Passwords which contain randomly-selected characters are
inherently more secure than passwords which reflect a 
detail of a user's life.  Computer-generated passwords 
enhance security, but are difficult to remember. These 
passwords are often forgotten or written down. 


As a compromise, this study's computer-generated passwords
have been limited to non-sensical but pronounceable "words"
of at least eight characters. Your system-assigned
password is shown below. Do your best to memorize it
before you move on to the next screen, but PLEASE DO NOT
WRITE IT DOWN.


Although it will be difficult to remember this arbitrarily- 
generated password at a future date, the percentage of 
persons able to recall such passwords is among the data 
points this study seeks to gather. 


Your assigned computer-generated password is - 


(Computer-generated password given here) 





Figure 2 Assignment of computer-generated password 


The next screens asked participants to create a single 
password of their own devising, a passphrase, 20 associative password 
combinations, and 20 cognitive passwords. The order in which these 
four screens were presented was randomized so that each of the 24 (4!) 
possible sequences was shown to an equal number of participants. 
This randomizing process was intended to guard against user fatigue 
during the session which might have caused passwords created in the 
later stages of the session to be less easily remembered. Since a similar
number of participants created the four password types in any given
order, the possibility of skewing overall recall results toward the
password types created in the early parts of the session was eliminated.
The instructional screen and input mechanism for user-created
passwords is shown in Figure 3.


User-created passwords are a commonly-used means of access 
control. In this section of the program, you will be asked 
to create a password. The password should be at least six 
and not more than ten characters long. 


The password you create should contain no spaces; however, 
all other keyboard characters are permitted. Note that the 
computer considers uppercase and lowercase letters to be 


different. Thus, "ILuvMyCar" and "ILUVMYCAR" are NOT the
same password.


Do your best to make up a password which is unique to you
and which you will be able to recall when tested later.


Enter a password of your own choosing (6-10 characters)- 
(User inputs his/her password at this point) 





Figure 3 Instructions for the user-created password 


Figure 4 depicts a computer screen describing the creation 
of a passphrase with attention drawn to the use of uppercase and 
lowercase letters and spaces. Because a mixture of cases can make a 
password or passphrase more secure, participants were allowed to mix 
them. The user-created passwords and passphrases devised by study 
participants were captured exactly as they were typed; an exact match
was required in the recall phase to count as a successful simulated
log-on. An exact match of uppercase and lowercase letters was required
for only these two password types. This case sensitivity was invoked
in order to make the log-on simulation more closely reflect actual
log-on practices. Inputs for system-created passwords and associative
and cognitive passwords were not case-sensitive.
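The matching rules just described, and the cue/response log-on from the associative and cognitive screens, as an added example in Python (not the study's own simulation program). The participant profile is constructed and shortened to six pairs instead of the study's 20; everything else follows the thesis's stated rules.

```python
import random

# Constructed profile for one hypothetical participant (not data from the study).
# The study kept one file per participant; a production system would store only
# password hashes, but the simulation compares the recalled text, so plaintext is kept here.
PROFILE = {
    "computer_generated": "brontalu",                  # pronounceable non-word, 8 characters
    "user_created": "ILuvMyCar",                       # 6-10 characters, no spaces
    "passphrase": "My brother likes football",         # up to 70 characters
    "associative": {                                   # the study asked for 20 pairs; six shown
        "Friend": "Mary", "Sports": "Tennis", "Music": "Violin",
        "Uncle": "Fred", "Band": "Aerosmith", "Cola": "Shasta",
    },
    "cognitive": {
        "What is the name of your favorite professional athlete?": "Navratilova",
        "Who is your favorite professional entertainer?": "Madonna",
    },
}

# Only these two types were captured and compared exactly as typed.
CASE_SENSITIVE = {"user_created", "passphrase"}

def matches(kind, stored, typed):
    """The study's match rule: exact for user-created passwords and passphrases,
    case-insensitive for computer-generated, associative and cognitive passwords."""
    if kind in CASE_SENSITIVE:
        return typed == stored
    return typed.lower() == stored.lower()

def single_logon(kind, typed):
    """Simulated log-on for the three single-secret types."""
    return matches(kind, PROFILE[kind], typed)

def challenge(kind, count, rng=None):
    """Choose `count` cues (or questions) from the profile to prompt the user with,
    as the program does when it prompts with 'some of the cue words you create'."""
    rng = rng or random.Random()
    return rng.sample(sorted(PROFILE[kind]), count)

def profile_logon(kind, answers):
    """Score a cue/response (or question/answer) log-on. Returns (number correct, passed);
    the log-on passes only when every prompted item is answered correctly."""
    correct = sum(matches(kind, PROFILE[kind][cue], resp) for cue, resp in answers.items())
    return correct, bool(answers) and correct == len(answers)

if __name__ == "__main__":
    print(single_logon("user_created", "ILUVMYCAR"))                # False: case differs
    print(single_logon("passphrase", "my Brother Likes fooTball"))  # False: case differs
    print(single_logon("computer_generated", "BRONTALU"))           # True: not case-sensitive
    cues = challenge("associative", 5, random.Random(1))
    print("prompt with:", cues)
    print(profile_logon("associative", {"Friend": "mary", "Sports": "TENNIS"}))  # (2, True)
```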


Passphrases are like passwords — only longer. A 
passphrase is a sentence or phrase used to authenticate a 
user's identity instead of a password. The additional 
length of the passphrase adds to security by increasing 
the number of possible character combinations. Some 
examples of passphrases are: 


My dog Spot hunts rabbits
Saddam H. smokes dope
IWISHIWEREINFLORIDA
Red skies MAKE me blue
Madonna should go to charm school


Note that the use of uppercase and lowercase letters and 


placement of spaces in the passphrase are unique 
attributes. For example, "My brother likes football" and 
"my Brother Likes fooTball" are NOT the same 
passphrase. 


In this section of the program, you will be asked to 
create a passphrase. Try to make up a phrase that is 
unique to you and that you will remember when your recall 
is tested later. 


Enter your passphrase (up to 70 characters) -
(User inputs passphrase at this point)





Figure 4 Instructions for creation of a passphrase 


Figure 5 shows the instructions that participants received
to guide them through the creation of 20 sets of associative password
cues and responses.
Associative passwords are word pairs which "go together" in
your mind. Each pair consists of a cue word and a related
response word. The pairs are designed so that the cue word
causes the individual to think of the proper response word.
Several examples of associative passwords are listed below:

    Cue       Response          Cue       Response
    Friend    Mary              Sports    Tennis
    Music     Violin            Uncle     Fred
    Band      Aerosmith         Cola      Shasta

Many such cue/response combinations exist. These word
pairs are unique to each person as long as one avoids the
use of trivial pairings (up:down or dog:cat, for example).

You will now be asked to create 20 cue/response pairs.
When you run this program at a later date, you will be
prompted with some of the cue words you create and asked to
supply the correct responses. Do your best to create word
pairs which are unique to you and which you will remember.
It may be helpful for you to create your password pairs
with a central theme in mind.








Figure 5 Instructions for creation of associative passwords 


Participants were asked to create a profile of cognitive
passwords. Figure 6 shows the instruction screen used to introduce
participants to the cognitive password concept.
The noun "cognition" is defined as "the act or process of
knowing" or "something known or perceived." Cognitive
passwords are based on a person's perceptions, personal
interests and personal history. This method of user
authentication employs a question-and-answer format, where,
instead of entering just one password, a user must answer
more than one question to gain access. Examples of
cognitive password questions are listed below:

    What is the name of your favorite professional athlete?
    What was the name of your first boyfriend/girlfriend?
    What was your favorite class in high school?

You will now be asked to answer 20 cognitive password
questions. When you use this program again at a later date,
your ability to recall the answers to some of the questions
will be tested.





Figure 6 Instructions for the creation of cognitive passwords 


Figure 7 shows the cognitive password questions used for
this study. Some questions required objective answers which do not
change (From what elementary school did you graduate?) while others
ask for subjective opinions which may change over time (What is your
favorite restaurant?).

e. Assignment of a Return Date

After creation of the five password types, each participant
was assigned a time interval after which he/she was asked to return to
the computer lab in order to recall the passwords in a simulated log-on
session.
    Who is your favorite musician/musical group?
    Who is your favorite movie star?
    What is the name of your favorite restaurant?
    What is your favorite city in the world?
    From what elementary school did you graduate?
    What is the name of your mother's hometown?
    What was the name of your high school's mascot?
    What was the model of the first car you owned?
    What is your favorite dessert?
    Who was your best friend in high school?
    What is your family's favorite vacation spot?
    Which of your hobbies do you like most?
    In your opinion, who was history's greatest leader?
    If you could choose another career, what would it be?
    Who was your favorite high school teacher?
    Who was the best athlete in your high school class?
    Who was the smartest student in your high school class?
    What is the name of your favorite aunt or uncle?
    In what city do/did your favorite grandparents live?
    Who is your most important role model outside your family?

Figure 7 Cognitive password questions


Figure 8 shows the computer screen used to make this
return date assignment. The computer program chose a return
interval by cycling through the six intervals as persons used the
program. Each succeeding participant was assigned the next interval.
In this manner an even number of participants were assigned to each
of the six intervals. Appendix B provides an overview of the recall
intervals and their assignment.

RETURN DATE ASSIGNMENT


To complete your participation in this study, you must
return to this computer lab at a later date and run this
program again. When you use the program for the second
time, you will be asked to recall some of the passwords
you have created today.


You will be assigned to return after one of six intervals:
three days, one week, two weeks, one month, one and one
half months, and two months. Measurement of password
recall abilities as they decline with time is a central
goal of this study. For this reason, make every effort to
use the program again after exactly the interval
requested. This is especially important if the interval
is small (three days, one week) since a deviation of even
one day is statistically significant.


(Assignment of return interval made at this point) 


Please take note of this interval and make every effort to 
return on exactly the day requested. 





Figure 8 Assignment of a return date 


2. Testing Recall of Passwords 
Participants were reminded of the approach of their return
date through notices placed in their student mailing center boxes using
data on participant name and SMC number. At the return session,
each participant ran the same computer simulation program he/she
used to create passwords at the first session. Now, however, the
program tested his/her recall of those passwords.

a. Testing Password Recall

As in the password creation phase of the study,
participants were presented with an instruction screen to guide them
through each step of recall testing. Figure 9 is the instruction screen
used for recall testing of the participant's assigned computer-generated
password. The datum collected by the computer program
during this recall phase was the number of tries necessary for the user
to successfully recall the password.


COMPUTER-GENERATED PASSWORD 


Your first task will be to recall the computer-generated
password assigned to you when you used this
program for the first time. You may remember that the
computer-generated passwords used in this study are at
least eight characters long and are non-sensical but
pronounceable "words." You will have three attempts to
correctly recall your computer-generated password.


Enter your assigned computer-generated password -





Figure 9 Computer-generated password recall instructions 


Figure 10 depicts the instruction screen presented to guide
the participant through recall of his/her user-generated password. In
the event that the participant had forgotten the distinctions between
the various types of passwords, this and following screens served to
refresh his/her memory. The instructions also contain a reminder
about the possible use of both uppercase and lowercase letters in the
chosen password.


USER-GENERATED PASSWORD


You are next asked to recall the password you created
when you used this program for the first time. As a
reminder, the password you were asked to create is
from six to ten characters long and may not contain
spaces. It may, however, contain both uppercase and
lowercase letters and other keyboard characters such
as numbers and punctuation symbols. You will have
three attempts to correctly recall your user-generated
password.


Enter the password you created -


Figure 10 User-generated password recall instructions


Figure 11 is the instruction screen used to prompt the
user's recall of the passphrase he/she created. Again, the instructions
remind the user about the characteristics of the password type being
tested.


PASSPHRASE 


You are next asked to recall the passphrase you created 
when you used this program for the first time. You may 
remember a passphrase is a phrase or short sentence of 
70 characters or less. The placement of spaces and use 
of uppercase and lowercase letters within the phrase 
are unique attributes. You will have three attempts to 
correctly recall your passphrase. 


Enter your passphrase - 





Figure 11 Passphrase recall instructions 


The simulated log-on using associative passwords
required a user to correctly respond to five password cues in order for
the log-on to be considered successful. From the 20 associative
password pairs created by the participant, five cues were randomly
selected by the computer. Feedback on the success of each
participant's recall was provided only after all five responses had been
given. In the event one or more of the responses were wrong, another
set of five cues was randomly selected from the 20 pairs. Use of a cue-
response pair in one group did not preclude it from being included in
a subsequent group of five pairs. Figure 12 shows the instructions the
user received for associative password recall.


ASSOCIATIVE PASSWORDS 


Associative passwords, you may remember, are pairs of
cue and response words or short phrases. You created
twenty such pairs in your previous session with this
program. The program will present you with five of the
cues from your associative password data set; you will
be asked to enter the proper response for each cue.


If your answer to one or more of the cues is incorrect,
you will be asked to respond to a new set of five cues.
No specific feedback about which responses are
incorrect will be given; you will be told only that one
or more responses are wrong. You will be allowed three
attempts to supply a correct response to each of five
cues.

    Cue 1: [cue word supplied by the computer]    Response 1:
    Cue 2: [cue word supplied by the computer]    Response 2:
    Cue 3: [cue word supplied by the computer]    Response 3:
    Cue 4: [cue word supplied by the computer]    Response 4:
    Cue 5: [cue word supplied by the computer]    Response 5:

    (Cue words are supplied by the computer from the password
    files created by each user; the user types a response to
    each cue word.)





Figure 12 Associative password recall information 


An important facet of the test was the lack of feedback on
which response a user might have gotten wrong. In the event of an
error, only the fact that one or more of the responses was incorrect
was reported to the user. Additionally, the associative password
testing was non-case-sensitive. This contrasts with the case sensitivity
present in the user-created password and passphrase tests. While the
use of mixed uppercase and lowercase letters was encouraged to create
uniqueness among the latter two types of passwords, the associative
password recall test did not include this feature. Therefore, the
computer counted responses as correct regardless of their case.
Figure 13 is the instruction screen presented before recall
testing of cognitive passwords.


COGNITIVE PASSWORDS 


When you used this program for the first time you 
learned that cognitive passwords are short responses to 
questions about a person's preferences, perceptions or 
personal history. You provided responses to twenty 
cognitive password questions. The program will present 
you with five questions from your cognitive password 
data set; you will be asked to enter the correct answer 
to each question. 


If your answer to one or more of the questions is 
incorrect, you will be asked to respond to a new set of 
five questions. No specific feedback about which 
questions have been answered incorrectly will be given; 
you will be told only that one or more responses are 
wrong. You will be allowed three attempts to supply a 
correct response to a set of five questions. 





Figure 13 Cognitive password recall instructions 


As was the case for associative recall testing, the study
participant was given three chances to correctly answer five cognitive
questions in a row; no specific feedback about errors was given. Since
the participant's memory of short answers to personal questions was
the element being tested, the computer was not sensitive to the use of
uppercase or lowercase letters.
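The matching rules and challenge procedure described above (exact, case-sensitive comparison for user-created passwords and passphrases; case-insensitive comparison for the other three types; five randomly drawn cues per attempt, all five required, no per-cue feedback, three attempts with a fresh set each time) can be written down as a small simulation. The following is an added illustration in Python, not the thesis' own program; every password, pair and name in it is constructed for the example.

```python
import random
from dataclasses import dataclass

# Constructed model of the log-on simulation described in the text; this is
# not the thesis' own program. Matching rules follow the text: user-created
# passwords and passphrases must match exactly (case and spaces included),
# while computer-generated, associative and cognitive entries are compared
# without regard to case.
CASE_SENSITIVE_TYPES = {"user-created", "passphrase"}
MAX_ATTEMPTS = 3      # three tries per password type
CHALLENGE_SIZE = 5    # five cues/questions per associative or cognitive attempt


def matches(password_type, stored, entered):
    """True if `entered` counts as a successful recall of `stored`."""
    if password_type in CASE_SENSITIVE_TYPES:
        return entered == stored
    return entered.casefold() == stored.casefold()


@dataclass
class Profile:
    """One participant's stored secrets (all sample values are constructed)."""
    single: dict   # password type -> the single password or passphrase
    pairs: dict    # cue or question -> response (20 entries in the study)


def recall_single(profile, password_type, entries):
    """Three tries at the same password or passphrase.

    Returns the 1-based attempt number on which recall succeeded, or None
    when every allowed attempt failed (an unsuccessful simulated log-on).
    """
    stored = profile.single[password_type]
    for attempt, entered in enumerate(entries[:MAX_ATTEMPTS], start=1):
        if matches(password_type, stored, entered):
            return attempt
    return None


def recall_challenge(profile, responder, rng, password_type="associative"):
    """Associative/cognitive recall as the text describes it.

    Each attempt draws a fresh random set of five cues from the 20 pairs (a
    cue may be drawn again in a later attempt); all five responses must be
    right; the participant is told only whether the whole set passed.
    `responder(cue)` returns what the participant types for that cue.
    """
    cues = list(profile.pairs)
    for attempt in range(1, MAX_ATTEMPTS + 1):
        challenge = rng.sample(cues, CHALLENGE_SIZE)
        # Collect every response before judging so no per-cue feedback leaks.
        entered = {cue: responder(cue) for cue in challenge}
        if all(matches(password_type, profile.pairs[c], entered[c])
               for c in challenge):
            return attempt
    return None


def demo():
    """Run the simulation on constructed data; returns the outcome per test."""
    rng = random.Random(7)   # fixed seed so the run is repeatable
    pairs = {f"cue{i}": f"response{i}" for i in range(20)}   # constructed
    profile = Profile(
        single={"user-created": "Sp0t!rabbit",            # constructed
                "passphrase": "My dog Spot hunts rabbits",
                "computer-generated": "tebrapoc"},
        pairs=pairs)
    return {
        # wrong case on the first try, exact on the second: success on try 2
        "user-created": recall_single(
            profile, "user-created", ["sp0t!rabbit", "Sp0t!rabbit"]),
        # passphrase case differs on all three tries: failed log-on
        "passphrase": recall_single(
            profile, "passphrase", ["my dog spot hunts rabbits"] * 3),
        # case is ignored for the computer-generated word
        "computer-generated": recall_single(
            profile, "computer-generated", ["TEBRAPOC"]),
        # every pair remembered (typed in upper case): passes on attempt 1
        "associative-all": recall_challenge(
            profile, lambda c: pairs[c].upper(), rng),
        # one pair forgotten: passes only if a drawn set avoids that cue
        "associative-one-forgotten": recall_challenge(
            profile, lambda c: "" if c == "cue3" else pairs[c], rng),
        # nothing remembered: three fresh sets, all fail
        "cognitive-none": recall_challenge(
            profile, lambda c: "", rng, password_type="cognitive"),
    }


if __name__ == "__main__":
    for test, outcome in demo().items():
        status = "success on attempt %d" % outcome if outcome else "failed log-on"
        print(f"{test:28s} -> {status}")
```

The "one pair forgotten" case shows why the text reports such a gap between question-by-question recall and whole-log-on success: one forgotten response fails the entire set, and only a later draw that happens to avoid the forgotten cue can rescue the log-on.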
b. Gathering Demographic Data

After the participant finished the five recall tests, his/her
test scores were recorded in a computer file. He/she was then asked
for several pieces of demographic information. Participants were
questioned about their previous computer experience. Each was asked
the number of years of previous computer experience he/she had and
the types of computers (e.g., micro, mini, mainframe) he/she had used
before. Each person was asked to rank the five password categories,
first by ease of use then by ease of recall. Finally, participants were
questioned about the mechanisms they used to remember their
computer-generated password and the user password and passphrase
they made up themselves. Each of these questions appeared only if
the participant successfully recalled the type of password about which
the question sought information. For instance, the user was asked
how he/she remembered the passphrase only if he/she had correctly
recalled it earlier in the program. Following these questions, the
participant was presented a signoff screen thanking him/her for taking
part in the study; the program then ended.
IV. FINDINGS


A. COMPARISON OF SIMULATED LOG-ON SUCCESSES 

Of the 225 participants who were asked to take part in the 
password study, 183 completed their first session of the program. Of 
those, 164 returned to use the simulation a second time and complete 
the experiment; however, only participants who returned on or near 
the correct date (according to the interval assigned to them) or on a 
date corresponding to another of the study’s six recall intervals 
provided usable data. Thus, 148 persons (66% of those asked to 
participate) contributed usable data to the study. 

Table 1 provides a summary of recall successes as demonstrated 
by successful simulated log-ons. 

TABLE 1
SUCCESSFUL SIMULATED LOG-ONS SUMMARIZED
BY PASSWORD TYPE

[The table body is largely illegible in the scan. The legible fragments of
the final (all-interval) row are "(44%)", "71 (48%)", "(33%)", "48 (32%)"
and "(33%)"; Section V of the text gives overall simulated log-on rates of
44% for computer-generated, 32% for associative and 33% for cognitive
passwords.]

Figure 14 presents the recall data in graphic form.

Figure 14 [graph of simulated log-on successes by password type and
recall interval; image not reproduced in this copy]


1. Recall of Associative and Cognitive Passwords
Because study participants were required to correctly answer
five consecutive associative cues or cognitive questions to be credited
with a successful log-on, the data in Table 1 and Figure 14 do not
reflect the question-by-question success rate for these password
categories. Table 2 provides a summary of the percentages of
associative and cognitive passwords correctly remembered in each
recall interval.
TABLE 2
RECALL SUCCESSES FOR ASSOCIATIVE
AND COGNITIVE PASSWORDS

[The table body is illegible in the scan. Its rows were the six recall
intervals (3 days, 1 week, 2 weeks, 1 month, 1.5 months, 2 months) and
"All intervals", with the question-by-question recall percentage for
associative and for cognitive passwords in each; Section V of the text
gives the all-interval values as 59% and 63%, respectively.]


2. Recall success versus log-on attempts
For each of the five password categories, the study
participant was permitted up to three log-on attempts. A correct
response to any of the attempts constituted a successful simulated log-on.
Table 3 provides a summary of the ability of all participants to
correctly recall each password type on the first, second, or third try.


TABLE 3
SIMULATED LOG-ON SUCCESSES
BROKEN DOWN BY ATTEMPT

Password type        1st attempt     2nd attempt     3rd attempt
                     successful      successful      successful

[The table body is illegible in the scan; its rows were the five password
types (computer-generated, user-created, passphrase, associative,
cognitive).]

Data in Table 3 are a further breakdown of data in the final
row of Table 1.
3. Recall of cognitive passwords
A summary of participants' abilities to answer each of the
study's 20 cognitive password questions is presented in Table 4. The
percentage in the table's second column is obtained by dividing the
number of correct responses to that question by the total number of
times the question was presented in the recall phase of the study.
TABLE 4
COGNITIVE PASSWORD RECALL
BROKEN DOWN BY QUESTION

Cognitive Password Question                                   Correct Responses
What is the name of your mother's hometown?                   80%
Who is your favorite musician/musical group?                  [illegible]
[Intervening rows, one per question of Figure 7 in descending order of
recall rate, are illegible in the scan; legible row labels further down
are "What is the name of your favorite aunt or uncle?" and "Which of your
hobbies do you like most?", with their percentages illegible.]
Who is your most important role model outside your family?    38%
B. METHODS OF RECALL
1. Computer-generated passwords
Each participant who was able to correctly recall his/her
computer-generated password, user-generated password and
passphrase was asked to specify the recall mechanism he/she used.
Table 5 summarizes the recall methods used by participants who
correctly remembered the computer-generated passwords assigned
them.


TABLE 5
METHODS USED TO RECALL
COMPUTER-GENERATED PASSWORDS

Method of Recall Used                        Participants using this method
Remembered because it was pronounceable      [illegible]
[Remaining rows, including the "Other" category discussed below, and all
counts are illegible in the scan.]
Total successful log-ons                     [illegible]


As shown in the table, the study's deliberate creation of non-sensical
but pronounceable words had an effect on the number of
persons able to recall the assigned passwords. Just under half of those
who remembered their computer-generated passwords were able to do
so because the "word" was pronounceable. Association of the
assigned word with some phrase or detail was the second most
popular method for jogging the memory of participants. Of those
who specified "Other" for their recall method, 20 of 23 said they used
a word association scheme to help them remember the assigned
password.
2. User-created passwords 

The category most remembered by the study’s participants 
was the user-created password. Participants seemed especially able to 
recall this password type during the two smallest recall intervals: 
successful log-ons with user-created passwords outnumbered other 
password categories for the three-day and one-week intervals. Table 
6 summarizes the recall methods used by those participants who 
successfully logged on with their user-created password. 


TABLE 6
METHODS USED TO RECALL USER-CREATED PASSWORDS

Method of Recall Used                              Participants using this method
Wrote it down                                      [illegible]
Password I've used before                          [illegible]
Significant detail in my life (date, name, etc)    [illegible]
Invented a pronounceable word                      [illegible]
No special method used                             [illegible]
Total successful log-ons                           [illegible]

[Counts are illegible in the scan; Section V of the text states that
nearly 70% of those who recalled their user-created password fell into
the "used before" or "significant detail" rows.]
3. Passphrases
Those participants who correctly recalled their passphrase
were asked to indicate how they did so. Table 7 presents a summary
of the recall methods used.


TABLE 7
METHODS USED TO RECALL PASSPHRASES

Method of Recall Used                              Participants using this method
Significant detail in my life (date, name, etc)    [count illegible] (28%)
A phrase I use or hear frequently                  [illegible]
No special method used                             [illegible]
Total successful log-ons                           [illegible]

[Most counts and percentages are illegible in the scan; Section V of the
text states that over 60% of those who recalled their passphrase fell
into the first two rows.]





C. EASE OF PASSWORD RECALL

Study participants were asked to rank the five password types in
order of the ease with which each could be recalled. Table 8 provides
a summary of participants' responses. The number of participants
who ranked each password type first through fifth (easiest through
most difficult) for ease of recall is noted. The mean score for each row
of the table is computed by multiplying the number in each column by
the ranking that column represents, summing the five products, then
dividing the sum by the number of persons who responded to this
question (143). Since a greater ease of recall is indicated by a low
numerical ranking, the password category with the lowest mean score
is the one the study's participants collectively judged easiest to
remember.


TABLE 8
RANKING OF PASSWORD MECHANISMS
ACCORDING TO EASE OF RECALL

[The table body (number of first- through fifth-place rankings and the
mean score for each of the five password types) is missing from the scan.]


The above ranking of the five password types according to ease
of recall agrees exactly with previous research (Beedenbender, 1990),
although mean scores were more tightly bunched in this study.


D. EASE OF PASSWORD USE

Study participants were asked to rank each of the five password
categories according to which of them was easiest to use. This
question was posed as an attempt to remove recall criteria from the
ranking process. Participants were specifically told to assume they
recalled each password type equally well and to rank them on the
basis of ease of use only. Table 9 is organized in the same manner as
Table 8; mean scores and rankings are determined in the same way.
The number of persons who responded to this question was 147. For
ease of use, user-created passwords and associative passwords are
once again the preferred password methods. The last three password
types have mean scores that are very close together, indicating
ambivalence on the part of participants when asked to choose between
them.


TABLE 9
RANKING OF PASSWORD MECHANISMS
ACCORDING TO EASE OF USE

[The table body (number of first- through fifth-place rankings and the
mean score for each of the five password types) is missing from the scan.]


The results in Table 9 closely match previous research
(Beedenbender, 1990). The first and second rankings are identical,
while the latter three rankings are not ordered the same; however, the
small difference in preferences between the final three categories
probably makes this observation insignificant.
E. COMPUTER EXPERIENCE OF PARTICIPANTS

Since this study's participants were students in a graduate
curriculum, each of them had previously earned a bachelor's degree
and most had worked with computer equipment during at least part
of their careers.

1. Length of prior computer experience

Participants were asked to indicate the number of years of
computer experience they had before taking this study. For the
purposes of the study, computer experience was defined as formal
computer education or regular use of a computer at work or at home.
Table 10 summarizes the study participants' experience levels. For all
148 participants, the average number of years of computer experience
was 5.0; the median number was 4. Eight of the study's participants
said they had no previous computer experience; one person had as
many as 19 years of experience.


TABLE 10
STUDY PARTICIPANTS' COMPUTER EXPERIENCE

Previous Computer Experience        Number of Participants
[Rows are ranges of years of experience; all but one row label
("> 7 years and < 9 years") and all counts are illegible in the scan.]

2. Types of computers used
The variety of computer work done by each participant was
cataloged further by type of computer. All but two of the participants
said they had used a microcomputer (personal computer) before.
Following microcomputers, the next most used architecture was the
mainframe computer. Table 11 gives a summary of this data.

TABLE 11
STUDY PARTICIPANTS' EXPERIENCE
WITH COMPUTER ARCHITECTURES

[The table body is illegible in the scan apart from the row labels
"Microcomputer with modem" and "Mainframe computer terminal"; all
counts are missing.]
V. DISCUSSION


A. ANALYSIS OF SUCCESSFUL LOG-ON RATES
Raw data presented in Table 1 and their graphical depiction in
Figure 14 show a declining rate of successful simulated log-ons over
the course of the six recall intervals. These results are intuitively
plausible: decreasing success in remembering passwords would be
expected as time between the first and second computer sessions is
increased. A statistical analysis provides a more quantitative
examination of any observed differences in log-on successes.

1. Description of Analysis

In order to examine the data for differences of recall rates
between the various password types at each recall interval, a chi-square
goodness-of-fit test was employed. This test is appropriate for
random, independent samples in which the observations being tested
fall into only one of a series of mutually exclusive and collectively
exhaustive categories (Porter and Hamm, 1986, pp. 183-193). In this
study, each of the five password tests evaluates to one and only one of
two possible results: successful log-on or unsuccessful log-on. Since
the computer program sessions were conducted by each person
individually, his/her test results are independent of any other person's.
The null hypothesis (H₀) and alternative hypothesis (H₁) used for the
goodness-of-fit test are listed below.
H₀: There are no significant differences between
successful simulated log-on rates for the five
password categories

H₁: There are significant differences between successful
simulated log-on rates for the five password
categories

Tests were performed on data for each of the six recall
intervals and on all interval results collectively. A .05 level of
significance (α = .05) was used as the accept/reject criterion.
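The test described above can be carried out by hand on a 2 × 5 table of successful and unsuccessful log-ons (one column per password type). The following Python is an added worked example, not the thesis' analysis or data: the counts are constructed for illustration (chosen near the overall percentages the text reports, since Table 1 is illegible in this copy), and the critical values are the standard chi-square table entries at α = .05.

```python
# Added example, not from the thesis: the chi-square test the text describes,
# applied to a 2 x 5 table of successful/unsuccessful simulated log-ons for the
# five password types. Counts below are constructed for illustration; they
# are chosen to be near the overall percentages the text reports, not taken
# from Table 1, which is illegible in this copy.

# Upper critical values of chi-square at alpha = .05 (standard table values).
CHI2_CRITICAL_05 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070}


def chi_square_logon_test(successes, participants, critical=CHI2_CRITICAL_05):
    """Test H0: all password types have the same log-on success rate.

    successes    -- dict: password type -> number of successful log-ons
    participants -- number of participants tested with each type (every
                    participant in the study tried all five types)
    Returns (chi2, df, reject_h0, contributions); `contributions` maps each
    type to its share of the statistic, which shows which type drives a
    rejection.
    """
    types = list(successes)
    k = len(types)
    # Expected counts come from the pooled success rate across all types.
    pooled_rate = sum(successes.values()) / (participants * k)
    expected_success = participants * pooled_rate
    expected_failure = participants * (1 - pooled_rate)
    contributions = {}
    for t in types:
        observed_success = successes[t]
        observed_failure = participants - observed_success
        contributions[t] = (
            (observed_success - expected_success) ** 2 / expected_success
            + (observed_failure - expected_failure) ** 2 / expected_failure)
    chi2 = sum(contributions.values())
    df = (2 - 1) * (k - 1)          # (rows - 1) x (columns - 1)
    return chi2, df, chi2 > critical[df], contributions


# Constructed all-interval counts for 148 participants (illustrative only).
OVERALL_COUNTS = {"computer-generated": 65, "user-created": 71,
                  "passphrase": 49, "associative": 48, "cognitive": 49}

# Constructed counts for a single interval whose rates are "clustered".
CLUSTERED_COUNTS = {"computer-generated": 12, "user-created": 11,
                    "passphrase": 13, "associative": 12, "cognitive": 12}

if __name__ == "__main__":
    for label, counts, n in (("overall", OVERALL_COUNTS, 148),
                             ("clustered interval", CLUSTERED_COUNTS, 25)):
        chi2, df, reject, _ = chi_square_logon_test(counts, n)
        print(f"{label}: chi2={chi2:.3f} df={df} -> "
              f"{'reject' if reject else 'accept'} H0 at alpha=.05")
```

With the constructed overall counts the statistic (about 13.4 on 4 degrees of freedom) exceeds 9.488 and H₀ is rejected, while the clustered counts give a statistic near 0.3 and H₀ is accepted; this is the same pattern of "spread" versus "clustered" intervals the discussion below draws from Figure 14.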

2. Results of Analysis
Table 12 summarizes the results of the seven goodness-of-fit
tests performed. Detailed results of each test are presented in
Appendix C.

TABLE 12
RESULTS OF CHI-SQUARE TESTS
OF DIFFERENCES IN PASSWORD RECALL RATES

Recall Interval     Participants     Accept/Reject H₀ at α=.05
3 days              [illegible]      Reject
1 week              [illegible]      Accept
2 weeks             [illegible]      Reject
1 month             [illegible]      Accept
1.5 months          [illegible]      Accept
2 months            [illegible]      Reject
Overall             148              Reject

[Participant counts per interval are illegible in the scan; the
Accept/Reject column follows the legible "Reject" entries and the summary
in the paragraph below.]
The null hypothesis is rejected for the three-day, two-week,
and two-month recall intervals as well as for the overall data set.
The results of the six interval tests agree with an intuitive
analysis of Figure 14. Simulated recall results for the five password
types are clustered together at the one-week, one-month and
one-and-one-half-month testing intervals, indicating a similarity in recall rates
for each category. On the other hand, data at the three-day, two-week
and two-month intervals are spread across wider ranges of values,
suggesting there are statistically significant differences in the recall
rates.
3. Simulated Log-on Versus Individual Password Recall
Table 2 reported a question-by-question recall success rate
for associative and cognitive passwords. A comparison of Table 1 and
Table 2 data reveals that, while all-interval simulated log-on successes
for associative and cognitive passwords were 32% and 33%,
respectively, recall rates for those passwords were much higher, 59%
and 63%, when results are tabulated on a question-by-question basis.
As would be expected, the success rate when the questions are
considered one at a time is much greater than when five in a row must
be correctly answered. This has implications for computer managers
who might use an associative or cognitive authentication scheme to
grant user access. These data suggest that altering the conditions
which define a log-on success would result in a decrease in the
rejection of bona fide system users. Since individual question recall
was near 60% for both associative and cognitive passwords, requiring
a user to correctly answer only three of five associative cues or
cognitive questions would achieve a greater log-on success rate. The
60% figure likely would not degrade security since these data show
approximately 40% of associative and cognitive questions are
answered incorrectly due to forgetfulness. As an alternative to
lowering the required recall rate, lowering the number of questions
required for log-on would likely also increase log-on success rates.
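The "three of five" and "fewer questions" alternatives above can be quantified with a simple binomial model. The Python below is an added illustration, not part of the thesis; it assumes (an assumption the study does not test) that each cue or question is recalled correctly with the same probability p, independently of the others, and that each of the three attempts draws a fresh set. The 0.6 recall rate approximates the question-by-question figure the text reports; the outsider guess rate of 0.1 is a constructed figure used only to show the trade-off a system manager faces when relaxing the log-on rule.

```python
from math import comb

# Added example, not from the thesis: a binomial model of the "k of n"
# log-on rule discussed in the text. Assumption (not a study finding): each
# item is answered correctly with the same probability p, independently,
# and every attempt draws a fresh set of items.


def p_pass_set(p, n=5, k=5):
    """Probability that at least k of n independent items are answered
    correctly when each is correct with probability p (binomial tail)."""
    return sum(comb(n, j) * p ** j * (1 - p) ** (n - j)
               for j in range(k, n + 1))


def p_logon(p, n=5, k=5, attempts=3):
    """Probability of at least one passing set within `attempts` tries."""
    return 1 - (1 - p_pass_set(p, n, k)) ** attempts


def policy_table(p_user, p_guess, policies=((5, 5), (5, 4), (5, 3), (3, 3))):
    """For each (n, k) policy return (authorized-user log-on rate, rate at
    which an outsider who guesses each item with probability p_guess is
    accepted), both over three attempts. Lowering k raises both figures,
    which is the usability/security trade-off behind the text's proposal."""
    return {(n, k): (p_logon(p_user, n, k), p_logon(p_guess, n, k))
            for n, k in policies}


if __name__ == "__main__":
    # p = 0.6 approximates the ~60% question-by-question recall the text
    # reports; 0.1 for an outsider's per-item guess is a constructed value.
    for (n, k), (user, guesser) in policy_table(0.6, 0.1).items():
        print(f"{k} of {n} required: authorized user {user:.1%}, "
              f"outsider guessing {guesser:.2%}")
```

Under these assumptions a user with 60% per-item recall passes a five-of-five set only about 7.8% of the time (about 21.6% within three attempts), whereas a three-of-five rule passes about 68% of sets (about 97% within three attempts); the model thus reproduces the direction of the gap between Table 2 and Table 1, though not the study's exact figures, since real recall is not independent across questions.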
4. Benefits of Permitting Multiple Log-on Attempts
Table 3 shows substantial differences between recall successes
on first attempts and follow-on attempts for computer-generated and
user-created passwords and passphrases. When comparing the success
rates for associative and cognitive passwords, the differences are not
as great. In fact, the number of successful simulated log-ons on
second and third attempts combined is near that achieved on the first
attempt in the associative and cognitive categories. The reason for
this is clear when the study's log-on requirements are reviewed. A
participant who fails on his/her first log-on attempt by incorrectly
responding to one or more of five questions is asked another five
questions randomly from the pool of 20 associative cue-response pairs
or cognitive answers each participant provided. The respondent is
thus given five new questions to answer. This contrasts with the
computer-generated password, user-created password and passphrase
log-on schemes where the participant is given three opportunities to
correctly recall the same password or passphrase. A person who has
failed once to remember a password/passphrase is less likely to recall
that same word/phrase given another attempt than a person provided
with a set of associative or cognitive questions that differ from those
asked previously. Given this, one might assert that associative and
cognitive simulated log-on success rates for each attempt should be
equal. The decline in success rates for each subsequent attempt in
these categories might be explained by either or both of two
possibilities. First, a previously-asked question which the participant
answered incorrectly might appear again in a later log-on attempt (five
questions are chosen at random from the entire question database for
each log-on attempt). Second, a participant might become
discouraged by failure in his/her first attempt and lose interest in
follow-on attempts.


B. ANALYSIS OF RECALL MECHANISMS 


1. Significance of Cognitive Password Recall
While reviewing Table 4, note that most of the questions
whose recall rates were the highest require objective answers which do
not change over time (the answers to these questions are established
facts). There were four such questions in this study: From what
elementary school did you graduate?, What is the name of your
mother's hometown?, What was the name of your high school's
mascot? and What was the model of the first car you owned? Two of
these questions were first and second in recall rate; the other two are
in the top six. Questions in the lower part of the chart ask for more
subjective responses which may change with time or the whims of the
participant. The observed ability of study participants to more easily
recall objective cognitive password questions agrees with the results of
previous research (Beedenbender, 1990; Hulsey, 1989). The
implication for the administrator of a computer system which uses
cognitive passwords is clear: deliberately designing the cognitive
password questions so that they require objective vice subjective
answers will increase the authorized user's password recall rate, thus
reducing rejections of authorized users.
2. How Secure Are Our Passwords? 

Regarding data in Table 6, an implication about the security 
of user-created passwords lies in the observation that nearly 70% of 
participants who recalled their passwords did so because the 
passwords were re-used or represented a significant detail of their 
lives. The regular changing of passwords and avoidance of passwords 
containing publicly available personal information (phone number, 
anniversary date, Social Security Number, etc) are tenets of good 
password security. It appears that many of the study’s participants 
either were not aware of or ignored these concepts. 

Conclusions about the probable security awareness of participants 
who recalled the passphrase they created may be drawn from the data 
in Table 7. Over 60% of those who recalled their passphrase were able 
to do so because it was related to a significant detail in their life or 
a phrase they or someone they knew used frequently. Although its 
length makes it more secure than a password, basing a passphrase on 
personally-related data may make the phrase vulnerable to intelligent 
guessing by outsiders. 

Previous research supports the conclusion that computer users may 
not practice good security when they create their own passwords. 
Beedenbender (1990), Sawyer (1990) and Hulsey (1989) found that 77%, 
78% and 78%, respectively, of those surveyed used a meaningful detail 
or combination of meaningful details about their lives to create their 
password. While this enables the user to more easily remember his/her 
password, users must be careful to avoid building an easily guessable 
password when they incorporate details of their lives into password 
creation. 
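The tenets named in this section (no re-use of a previous password and no publicly available personal detail in the password) can be enforced by the system at password-creation time rather than left to the user's awareness. The Python check below is an added example and is not code from the study or its log-on simulator; the profile keys (user_name, phone, ssn, anniversary, birthday), the history store and the sample profile are assumptions constructed for illustration.

```python
"""Password-creation check for the tenets named above: no re-use and no
publicly available personal detail in the password. Added example, not
code from the study; the profile keys and the history store are assumed."""
import hashlib
import re
from datetime import date


def _digits(text: str) -> str:
    return re.sub(r"\D", "", text)


def personal_tokens(profile: dict) -> set:
    """Strings a candidate password may not contain, derived from the
    hypothetical profile keys user_name, phone, ssn, anniversary, birthday.
    Only tokens of four or more characters are kept to limit false positives."""
    tokens = set()
    name = profile.get("user_name", "").lower()
    if name:
        tokens.update({name, name[::-1]})          # forwards and spelled backwards
    for key in ("phone", "ssn"):
        digits = _digits(profile.get(key, ""))
        if digits:
            tokens.update({digits, digits[-4:]})    # full number and its last four
    for key in ("anniversary", "birthday"):
        d = profile.get(key)
        if isinstance(d, date):
            tokens.update({d.strftime("%m%d%Y"), d.strftime("%m%d%y"),
                           d.strftime("%Y%m%d"), d.strftime("%m%d")})
    return {t for t in tokens if len(t) >= 4}


def fingerprint(password: str) -> str:
    """Lookup key for the re-use history. A production store would use a
    salted, slow password hash; SHA-256 is used here only to keep the
    example self-contained."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, profile: dict, history: set,
                   min_length: int = 8) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    reasons = []
    # Compare on a normalized form so punctuation cannot hide a personal detail.
    normalized = re.sub(r"[^a-z0-9]", "", candidate.lower())
    for token in sorted(personal_tokens(profile)):
        if token in normalized:
            reasons.append(f"contains personal detail '{token}'")
    if fingerprint(candidate) in history:
        reasons.append("re-uses a previous password")
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    return reasons


# Constructed sample profile and history (not real data).
SAMPLE_PROFILE = {"user_name": "jsmith", "phone": "(408) 555-0123",
                  "ssn": "123-45-6789", "anniversary": date(1985, 6, 14)}
SAMPLE_HISTORY = {fingerprint("Sunset!42")}

if __name__ == "__main__":
    for pw in ("Sunset!42", "htimsj1985", "Fluffy0614", "correct-horse-battery"):
        print(pw, "->", check_password(pw, SAMPLE_PROFILE, SAMPLE_HISTORY) or "ok")
```

The check rejects a re-used password, a password built from the reversed log-on name, and one embedding the anniversary date, while accepting an unrelated passphrase; the substring test is deliberately applied to the normalized form so that "06-14" and "0614" are treated alike.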


C. PERCEPTIONS VERSUS RECALL RESULTS 

A comparison of data displayed in Table 1, Table 8, and Table 9 
reveals that participants’ feelings about the ease of use and ease of 
recall of a given password type were not necessarily related to the 
simulated log-on success they experienced for that type. Note that, 
with an overall recall rate of 44%, computer-generated passwords were 
the second most frequently recalled password (Table 1). Despite this, 
Table 8 data show computer-generated passwords were subjectively 
rated the least easy to remember. When only participants' 
most-easily-remembered rankings are considered, computer-generated 
passwords (chosen by 26 persons) are judged the second most easily 
recalled type. This high ranking is more than offset, however, by the 
large number of participants (77) who ranked computer-generated 
passwords the most difficult to remember. Table 16 provides a 
summary. 


TABLE 16 
COMPARISON OF LOG-ON SUCCESS WITH SUBJECTIVE RANKINGS 

Ranking   Successful Simulated Log-ons   Ease of Recall       Ease of Use 
1         User-created                   User-created         User-created 
2         Computer-generated             Associative          Associative 
3 or 4    Passphrase                     Cognitive            Computer-generated 
5         Associative                    Computer-generated   Passphrase 

(One intermediate row of the original table did not survive the scan.) 

The Table 16 summary shows the user-generated password was the 
most frequently recalled and also the most preferred from an ease of 
recall and ease of use standpoint. Although associative passwords 
ranked second in both subjective evaluation categories, study 
participants were able to log on successfully using associative 
passwords less frequently than any other password type. Insight into 
possible reasons for this seeming discrepancy can be gained by 
remembering the data in Table 2 (discussed in paragraph A.3. above). 
When the recall rates are defined question-by-question vice by log-on 
successes, associative passwords are correctly remembered more 
frequently than any other category except cognitive passwords. It 
might be inferred that participants subjectively ranked cognitive and 
associative passwords more highly because they judged them on a 
question-by-question basis instead of on the basis of log-on success. 


VI. CONCLUSIONS 


A. THE "BEST" PASSWORD TYPE 

The principal goal of this study was to determine which, if any, 
of the five password types tested could be consistently remembered 
better than the others. The study measured password recall by the 
yardstick of simulated computer log-ons, just as would occur in the 
real world. Test results summarized in Table 12 show there was no 
consistent significant difference in the log-on rates of the different 
password types. An identical conclusion can be reached through 
examination of Table 1 and Figure 14. The recall rankings of the five 
passwords shift for every set of intervals. There is no clear overall 
"winner" with respect to memorability. If a given type must be 
declared the most consistently remembered, it is the user-created 
password, which held or shared the highest log-on success rate in 
three of the six recall intervals. 


B. PAPER SURVEYS VERSUS COMPUTER STUDIES 
The above conclusion does not agree with previous research. 
Beedenbender (1990) found graduate students were able to remember 
cognitive and associative passwords at rates two to three times that of 
computer-generated passwords, user-created passwords or passphrases. 
Hulsey (1989) obtained results similar to Beedenbender's when 
comparing recall rates of cognitive passwords with those of 
computer-generated and user-created passwords (Hulsey did not test 
passphrases or associative passwords). The failure of cognitive and 
associative passwords to outscore other password categories in the 
study presented here is almost certainly due to the differing conditions 
under which this study was conducted. 
1. Comparison of Survey Methods 

Hulsey and Beedenbender administered their surveys using 
a paper format. The graduate students who made up their study 
groups created password profiles by filling out questionnaires. After 
three months, the participants were asked to try to recall their 
passwords. In the case of associative and cognitive passwords, 
participants were presented with the entire set of associative cues and 
cognitive questions at once and asked to respond to them. In 
contrast, participants in this study interacted with a microcomputer 
both during the assignment/creation of passwords portion of the study 
and during the recall portion of the study. 

2. Comparison with Previous Results 

The randomly selected five associative password cues and 
five cognitive password questions provide less of a jog to the memory 
than seeing all the questions at once. This is likely the reason that 
recall averages for associative and cognitive questions (from Table 2) 
were 59% and 63%, about ten percentage points lower than the 69% and 
74% achieved by participants in the Beedenbender study. The 
difference is even greater when compared with Hulsey's results. His 
participants successfully recalled 82% of their cognitive passwords 
after three months. This study's lower recall averages occurred even 
though every recall interval was shorter than the three-month interval 
applied to all of Beedenbender's and Hulsey's participants. 

More important than the comparison of overall recall 
averages is the relationship between successful simulated log-ons this 
study measured. When the study’s criterion of log-on completion is 
applied as the metric of success, users found success with computer- 
generated and user-created passwords 10%-15% more frequently than 
with associative or cognitive passwords, a result completely opposite 
from previous research. 

3. Theory Versus Practice 

The bottom-line conclusion one must reach from these observations is 
that, while graduate students tested with paper questionnaires were 
able to recall associative and cognitive passwords markedly better 
than other password types, graduate students required to complete a 
simulated computer log-on found these two methods the least 
successful. The difference exposed here is the difference between 
success of a concept in theory and in practice. In the 
closer-to-the-real-world conditions under which this computer-based 
study was conducted, conclusions reached by Beedenbender and Hulsey 
that associative or cognitive passwords are a better means of user 
authentication than more traditional password systems cannot be 
supported. As noted in section VI. A. above, data from this study 
produce no clear winner. Perhaps future studies will clarify the 
inconsistencies. 
APPENDIX A 


The introduction and instructions below were presented to study 
participants during their first session with the computer program. 


Most computer systems which employ access controls 
authenticate a user's identity with a password scheme. A 
user who supplies the correct password is allowed access 
to the computer's resources. Each password is 
theoretically unique to each authorized computer user. In 
reality, however, password methods have varying levels of 
security effectiveness. Those methods which are easiest 
to use are often the least secure. 


An individual may employ his/her telephone number as a 
password to gain access to a computer; that person would 
likely have little trouble remembering (and thus using) 
the password. Unfortunately, a person's telephone number, 
even if unlisted, is available to many people. An 
intruder with a small amount of resourcefulness might gain 
unauthorized access to the protected computer by simply 
trying such an obvious possibility. This "intelligent 
guessing" of a person's birthday, anniversary, Social 
Security number, spouse's name or other common knowledge 
is a leading means used to foil computer security 
mechanisms. 


This computer program and your use of it are part of a 
study to compare the ease of use and security of five 
methods of user authentication. As the program 
progresses, you will be assigned a computer-generated 
password and asked to create a user-generated password, a 
passphrase, a profile of associative passwords and a 
profile of cognitive passwords. Each of these terms will 
be explained as the program continues. 


At the end of the program, you will be given a future 
date on which you are to return to this computer lab and 
run this program again. When you use the program the 
second time, your recall of the five types of passwords 
will be tested. Results of students' recall tests will be 
tabulated and compared to determine which password 
mechanism offers the best combination of security and ease 
of use. 


Some final words: please do not make any notes about 
the password data you provide today. The ability of each 
person to recall his/her passwords without the help of 
written notes is the most important quantity this study 
seeks to measure. 
APPENDIX B 


Table B-1 below provides an overview of the password study's 
organization. During their first computer session, participants were 
assigned membership in one of six password recall intervals. Each 
row of the table corresponds to an interval. The data entry phase of 
the study, during which participants created their passwords, is noted 
by a D. The recall (observation) phase of the study occurs at the 
interval noted with an O. Subscripts indicate the recall interval to 
which the letter applies. 

TABLE B-1 
ORGANIZATION OF PASSWORD STUDY RECALL INTERVALS 

(Table body not recoverable from the scan; only the column heading 
"Second Session" survives. Each row holds a D and an O carrying the 
interval subscript, as described above.) 


APPENDIX C 


Displayed below are the results of the seven chi-square goodness-of-fit 
tests performed on the simulated log-on data collected by this study. 
The goodness-of-fit calculations were performed using The Student 
Edition of MINITAB (Release 1.1). 

Tests were performed on data for each of the six recall intervals and 
on all interval results collectively. A .05 level of significance 
(α = .05) was used as the accept/reject criterion. Each of the tests 
involved five password categories. Since the number of degrees of 
freedom for a chi-square goodness-of-fit test is simply one less than 
the number of categories of observations, four degrees of freedom 
(df = 4) were present in each test. In order to reject the null 
hypothesis in a given test, the test's chi-square statistic must be 
greater than or equal to 9.49, which is the value of χ² for α = .05 and 
df = 4 (Porter and Hamm, 1989, p. 394). 

The goodness-of-fit test for an equally likely model (in which the 
likelihood of success or failure for each category is equal) arrives at 
its chi-square test value by comparing the observed number in each 
category with the expected value of each category. The chi-square test 
statistic is computed through use of the formula 

$$\chi^2_o = \sum \frac{(O - E)^2}{E}$$

summed over every category, where 

χ²_o = the chi-square statistic computed from the sample data 
       (the "o" subscript refers to the "observed" statistic) 
O = the observed value in each category 
E = the expected value in each category 
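The following Python routine recomputes the statistic just defined for the equally likely model, so that any of the MINITAB tables that follow can be checked by hand. It is an added example, not MINITAB output or code from the thesis; the category labels, the 9.49 critical value and the observed counts used in the sample call are taken from this appendix, while the rule that flags expected counts below 5.0 restates the caution given with the one-and-one-half-month table.

```python
"""Chi-square goodness-of-fit test for the equally likely model of
Appendix C. Added example: not MINITAB output or code from the thesis;
it recomputes the same statistic from a table of observed log-on counts."""
from dataclasses import dataclass, field

# Password categories as labelled in the appendix legend.
CATEGORIES = ("CGPW", "UCPW", "PPHR", "ASPW", "COPW")
# Critical value of chi-square for alpha = .05 and df = 4 quoted in the appendix.
CRITICAL_ALPHA05_DF4 = 9.49
# Expected counts below this make the statistic unreliable (appendix note).
MIN_EXPECTED_COUNT = 5.0


@dataclass
class GofResult:
    statistic: float
    df: int
    success_terms: list = field(default_factory=list)
    failure_terms: list = field(default_factory=list)
    low_expected_cells: int = 0

    def rejects_null(self, critical: float = CRITICAL_ALPHA05_DF4) -> bool:
        """Reject H0 (equal success/failure likelihood across categories)
        when the statistic reaches the critical value, as the appendix does."""
        return self.statistic >= critical


def chi_square_equally_likely(successes: dict, participants: int) -> GofResult:
    """successes maps category -> number of successful simulated log-ons;
    participants is the number of attempts per category (one per person)."""
    k = len(CATEGORIES)
    obs_succ = [successes[c] for c in CATEGORIES]
    obs_fail = [participants - s for s in obs_succ]
    # Equally likely model: every category shares the same expected count,
    # namely the row total divided by the number of categories.
    exp_succ = sum(obs_succ) / k
    exp_fail = sum(obs_fail) / k
    # One (O - E)^2 / E term per cell, successes first, then failures.
    succ_terms = [(o - exp_succ) ** 2 / exp_succ for o in obs_succ]
    fail_terms = [(o - exp_fail) ** 2 / exp_fail for o in obs_fail]
    low = sum(k for e in (exp_succ, exp_fail) if e < MIN_EXPECTED_COUNT)
    return GofResult(sum(succ_terms) + sum(fail_terms), k - 1,
                     succ_terms, fail_terms, low)


def two_month_interval() -> GofResult:
    # Observed two-month counts from the appendix: 23 participants per category.
    return chi_square_equally_likely(
        {"CGPW": 10, "UCPW": 7, "PPHR": 2, "ASPW": 4, "COPW": 3}, participants=23)


if __name__ == "__main__":
    r = two_month_interval()
    print(f"ChiSq = {r.statistic:.3f}, df = {r.df}, reject H0: {r.rejects_null()}")
```

For the two-month data the routine returns 10.635 with df = 4, matching the MINITAB table below, and reports the result as rejecting the null hypothesis at α = .05; for an interval whose expected success count falls below 5.0 it counts those cells so the caller can discount the statistic as the appendix does.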
Chi-Square Test for Three-Day Interval 

              CGPW   UCPW   PPHR   ASPW   COPW   Total 
Log-on          13     20     18     11     13      75 
Successes    15.00  15.00  15.00  15.00  15.00 

Log-on          11      4      6     13     11      45 
Failures      9.00   9.00   9.00   9.00   9.00 

Total           24     24     24     24     24     120 

ChiSq = 0.267 + 1.667 + 0.600 + 1.067 + 0.267 + 
        0.444 + 2.778 + 1.000 + 1.778 + 0.444 = 10.311 
df = 4 
Chi-Square Test for One-Week Interval 

              CGPW   UCPW   PPHR   ASPW   COPW   Total 
Log-on          13     16     13     11     12      65 
Successes    13.00  13.00  13.00  13.00  13.00 

Log-on          11      8     11     13     12      55 
Failures     11.00  11.00  11.00  11.00  11.00 

Total           24     24     24     24     24     120 

ChiSq = 0.000 + 0.692 + 0.000 + 0.308 + 0.077 + 
        0.000 + 0.818 + 0.000 + 0.364 + 0.091 = 2.350 
df = 4 

Chi-Square Test for Two-Week Interval 

              CGPW   UCPW   PPHR   ASPW   COPW   Total 
Log-on          20     16      9      9     13      67 
Successes    13.40  13.40  13.40  13.40  13.40 

Log-on           9     13     20     20     16      78 
Failures     15.60  15.60  15.60  15.60  15.60 

Total           29     29     29     29     29     145 

ChiSq = 3.251 + 0.504 + 1.445 + 1.445 + 0.012 + 
        2.792 + 0.433 + 1.241 + 1.241 + 0.010 = 12.375 
df = 4 
Chi-Square Test for One-Month Interval 

              CGPW   UCPW   PPHR   ASPW   COPW   Total 
Log-on           7      8      7      8      6      36 
Successes     7.20   7.20   7.20   7.20   7.20 

Log-on          21     20     21     20     22     104 
Failures     20.80  20.80  20.80  20.80  20.80 

Total           28     28     28     28     28     140 

ChiSq = 0.006 + 0.089 + 0.006 + 0.089 + 0.200 + 
        0.002 + 0.031 + 0.002 + 0.031 + 0.069 = 0.524 
df = 4 


Chi-Square Test for One-and-One-Half-Month Interval 

              CGPW   UCPW   PPHR   ASPW   COPW   Total 
Log-on           2      4      2      5      2      15 
Successes     3.00   3.00   3.00   3.00   3.00 

Log-on          18     16     18     15     18      85 
Failures     17.00  17.00  17.00  17.00  17.00 

Total           20     20     20     20     20     100 

ChiSq = 0.333 + 0.333 + 0.333 + 1.333 + 0.333 + 
        0.059 + 0.059 + 0.059 + 0.235 + 0.059 = 3.137 
df = 4 

The presence of five cells with expected counts less than 5.0 
indicates the chi-square test statistic probably is not accurate. This 
set of data does not lend itself toward goodness-of-fit testing. 
Chi-Square Test for Two-Month Interval 

              CGPW   UCPW   PPHR   ASPW   COPW   Total 
Log-on          10      7      2      4      3      26 
Successes     5.20   5.20   5.20   5.20   5.20 

Log-on          13     16     21     19     20      89 
Failures     17.80  17.80  17.80  17.80  17.80 

Total           23     23     23     23     23     115 

ChiSq = 4.431 + 0.623 + 1.969 + 0.277 + 0.931 + 
        1.294 + 0.182 + 0.575 + 0.081 + 0.272 = 10.635 
df = 4 


Legend: 

CGPW - Computer-Generated Password 
UCPW - User-Created Password 
PPHR - Passphrase 
ASPW - Associative Password 
COPW - Cognitive Password 

Expected values are listed below observed values for each 
password category and simulated log-on outcome (success/failure). 